Microsoft has issued fixes for six publicly disclosed zero-day vulnerabilities in its first monthly Patch Tuesday update of 2022, one of them rated as critical, but none yet being actively exploited.
The single critical zero-day is tracked as CVE-2021-22947 and is a remote code execution (RCE) vulnerability in the open source Curl library and command-line tool, which is used to transfer data over various network protocols. It is present in Windows 10, Server 2019 and later versions.
“An attacker could carry out a man-in-the-middle attack by exploiting how Curl handles cached or pipelined responses from IMAP, POP3, SMTP or FTP servers,” said Maarten Buis of Automox.
“The attacker would inject the fake response, then pass through the TLS traffic from the legitimate server and trick Curl into sending the attacker’s data back to the user as valid and authenticated.
“Automox recommends rolling out this update quickly because of the public disclosure. This disclosure significantly increases the chances of threat actors exploiting this flaw.”
The five other zero-days are CVE-2021-36976, an RCE vulnerability in Libarchive; CVE-2022-21836, a Windows Certificate Spoofing vulnerability; CVE-2022-21839, a denial-of-service flaw in Windows Event Tracing’s Discretionary Access Control List; CVE-2022-21874, an RCE vulnerability in the Windows Security Center API; and CVE-2022-21919, a privilege escalation vulnerability in the Windows User Profile Service.
Redmond’s January 2022 update contains a total of 96 fixes, nine of them ranked as critical and 88 as important; with the addition of further bugs patched in Microsoft Edge, the monthly total rises to over 120 – an “unusually large update for January”, according to Dustin Childs of the Zero Day Initiative.
In his monthly Patch Tuesday review, Childs pointed to several other CVEs that warrant attention, in particular CVE-2022-21907, an RCE vulnerability in the HTTP Protocol Stack (http.sys). It is present in Windows 10 and 11, Server 2019 and Server 2022, and has received a critical CVSS rating of 9.8.
Childs said this bug is exploitable by sending specially crafted packets to a system that uses http.sys to process them. It requires neither user interaction nor additional privileges, and is therefore wormable.
He also urged defenders to attend to CVE-2022-21846, an RCE vulnerability in Exchange Server; CVE-2021-21840, an RCE in Microsoft Office; and CVE-2022-21857, a privilege escalation vulnerability in Active Directory Domain Services.
The January drop comes amid ongoing fall-out from Log4Shell, which continues to pile pressure on defenders more than a month after its disclosure. Bharat Jogi, director of vulnerability and threat research at Qualys, described the current situation as “chaos” as security pros work overtime to protect against Log4Shell exploitation.
“Unpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks – and bring to the forefront the importance of having an automated inventory of everything that is used by an organisation in their environment,” said Jogi.
“It is the need of the hour to automate deployment of patches for events with defined schedules, for example Patch Tuesday, so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk to an organisation’s crown jewels.”
Beyond Log4Shell, other key updates also landed from Adobe, which fixed 44 CVEs, 22 of them rated critical; Mozilla, which fixed 18 CVEs, nine of them rated critical; and SAP, which fixed 35 CVEs, 20 of them critical, and all of them Log4Shell-linked. A new round of updates from Oracle is due next week.